Bits |
Quantifying Privacy: A Week of Location Data May Be an ‘Unreasonable Search’

Site Search Navigation

Site Navigation

Site Mobile Navigation

Quantifying Privacy: A Week of Location Data May Be an ‘Unreasonable Search’

By Steve Lohr May 31, 2014 8:00 amMay 31, 2014 8:00 am

Photo

Credit The New York Times

When does the simple digital tracking of your location and movements — the GPS bleeps from most of our smartphones — start to be truly revealing? When do the data points and inferences that can be drawn from it strongly suggest, say, trips to a psychiatrist, a mosque, an abortion clinic, a strip club or an AIDS treatment center?

The answer, according to a new research paper, is about a week, when the data portrait of a person becomes sufficiently detailed to qualify as an “unreasonable search” and a potential violation of an individual’s Fourth Amendment rights.

The research paper, a collaboration of computer scientists and lawyers, wades into the debate over the legal and policing implications of modern data collection and analysis technology. It explores what in legal circles is called the “mosaic theory” of the Fourth Amendment, which essentially states that when linked and analyzed by software, a much richer picture emerges from combined information than from discrete data points.

“It’s not the direct observation,” said Steven M. Bellovin, one of the paper’s co-authors and a computer science professor at Columbia University, a computer security and privacy expert and a former chief technologist of the Federal Trade Commission. “It’s what can be inferred.”

The main technology for making these inferences is machine learning, a branch of artificial intelligence. In the paper, the authors write that their goal was “to identify the threshold at which enough is enough — the point at which long-term government surveillance becomes objectively unreasonable.” In the interview, Mr. Bellovin observed, “We put it at a week, based on our research.”

One reason the technology works so well, Mr. Bellovin said, is that people help, by following patterns of movement that are quite predictable. When combined with other data, the result is something close to a movement fingerprint — that is, surprisingly distinctive and identifying.

The 74-page paper, “When Enough Is Enough: Location Tracking, Mosaic Theory, and Machine Learning,” has been published in the current edition of the New York University Journal of Law and Liberty. Its co-authors, in addition to Mr. Bellovin, are: Renee M. Hutchins, an associate professor at the University of Maryland Carey School of Law; Tony Jebara, an associate professor of computer science at Columbia, and a machine learning expert; and Sebastian Zimmeck, a Ph.D. candidate in computer science at Columbia, who is also a lawyer.

The issue of when location data and analysis might constitute a violation of the Fourth Amendment came up most prominently in a Supreme Court case, United States v. Jones, in 2012. The Supreme Court discussed the data-privacy issues, but it decided the case based on other grounds. In the case, Antoine Jones, a nightclub owner in Washington, D.C., was suspected by the police of dealing drugs. The local police, working with federal agents, put a GPS tracking device on his car, without a warrant, and gathered his location data for four weeks.

Mr. Jones was initially convicted of drug trafficking conspiracy, based in part on thousands of pages of location information sent from the GPS tracker over 28 days. The Supreme Court ruled for Mr. Jones, saying his Fourth Amendment rights had been violated because placing the GPS device on his car, without a warrant and without his knowledge, was “an unauthorized physical intrusion,” as if someone had come into his home.

But the justices discussed the subject of modern data tracking and its potential to reveal “intimate facts” about a person’s life. Justice Sonia Sotomayor wrote that based on data trails, it would be possible to detect trips of an “indisputably private nature.” In her list that would take “little imagination to conjure,” she cited the trips to a psychiatrist, abortion clinic, AIDS treatment center, strip club and mosque — mentioned above — but she also included trips to a criminal defense lawyer, a by-the-hour motel and a union meeting.

Justice Samuel Alito stated that four weeks of location data collection, without a warrant, was “surely too long,” in that it would be enough for a detailed portrait of a person’s behavior. But Justice Antonin Scalia noted in his majority opinion that “it remains unexplained why a four-week investigation is ‘surely too long.’ ”

“That’s a fair critique,” observed Ms. Hutchins, the University of Maryland law professor. “We wanted to see what the science showed.”

Photo

Yasir Afifi in 2011 showing where he found a Global Positioning System device the police had put on his car. The Supreme Court ruled a year later that similar instances of authorities placing GPS devices on people's cars without warrants was unconstitutional.Credit Paul Sakuma/Associated Press

The 2012 court case was exceptional in that it involved a location tracking device surreptitiously affixed to someone’s car by the police. Most of us willingly carry our own tracking devices, smartphones. You can turn off the GPS tracking, but then you lose all location services like Foursquare and the Google Maps feature that guides you to a destination.

There are some state-by-state differences, Mr. Bellovin said, but in most of the country, if a law-enforcement agency asks a mobile carrier for location data from cell towers, it gets it. Often, he said, the location information is disclosed without a subpoena, but even getting a subpoena requires only that the police certify to a judge that the information is “relevant to an ongoing investigation.” By contrast, a search warrant requires “probable cause” and “particularity,” meaning the name of a person and a location.

The one-week threshold identified in the research paper would change police practice, especially at a time when big data technology is being applied to the emerging field of “predictive policing.” Today, predictive policing software forecasts — almost like a weather forecast — where crimes are more likely to occur and when, rather than who specifically might commit a crime.

But Mr. Bellovin suggests that the vision of the 2002 movie “Minority Report,” based on a short story by Philip K. Dick, of “pre-crime” squads identifying people likely to commit crimes is getting less fantastic all the time.

“It’s science fiction,” he said, “but we’re not that far from there in certain circumstances.” Paraphrasing the Vichy police captain played by Claude Rains in the movie “Casablanca,” Mr. Bellovin said, “Round up the probable suspects, based on the data.”

What can be done with data now and in the near-future, Mr. Bellovin said, is why the subject of its collection and use in law enforcement is important. “We need to have a public debate about this,” he said.